U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Briefing Report

ECHO Data Quality Audit – Phase I Results: The Integrated Compliance Information System Needs Security Controls to Protect Significant Non-Compliance Data

Report No. 09-P-0226

August 31, 2009


Abbreviations

DMR         Discharge Monitoring Report
ECHO        Enforcement and Compliance History Online
EPA         U.S. Environmental Protection Agency
ICIS        Integrated Compliance Information System
IDEA        Integrated Data for Enforcement Analysis
NPDES       National Pollutant Discharge Elimination System
OECA        Office of Enforcement and Compliance Assurance
OIG         Office of Inspector General
PCS         Permit Compliance System
SNC         Significant Non-Compliance


At a Glance

Why We Did This Review

This review, conducted by KPMG, LLP, on behalf of the Office of Inspector General, sought to evaluate the quality and integrity of data that resides in the U.S. Environmental Protection Agency's (EPA's) Enforcement and Compliance History Online (ECHO) system.

Background

ECHO provides integrated compliance and enforcement information for approximately 800,000 regulated facilities nationwide. ECHO allows users to find inspection, violation, enforcement action, informal enforcement action, and penalty information about facilities for the past 3 years. ECHO contains information for the facilities regulated under the following environmental statutes: Clean Air Act Stationary Source Program, Clean Water Act National Pollutant Discharge Elimination System, and Resource Conservation and Recovery Act.

What KPMG Found

End users of the Permit Compliance System and Integrated Compliance Information System National Pollutant Discharge Elimination System (ICIS-NPDES) can override the Significant Non-Compliance (SNC) data field without additional access controls. This occurs because EPA has not implemented database security features to restrict access to this field. Further, the ICIS-NPDES database edit checks do not prevent access to the SNC field. As a result, users can change original data without authorization, which could directly affect ICIS-NPDES data made available to the public via ECHO.

Other than the above weakness, KPMG noted that EPA implemented many effective processes designed to populate the Integrated Data for Enforcement Analysis (IDEA) database, which the ECHO system uses to create reports for its users. KPMG noted that many of the EPA systems that feed data to IDEA have front-end edit checks designed to help ensure data quality. Further, KPMG noted that making data available through ECHO is a very complex process that involves many data systems. KPMG noted that EPA has developed a methodology to manage the States' data conversions. KPMG noted that EPA's data mapping and system life-cycle documentation, data migration tools, and lessons learned processes are effective in managing this complex data conversion process.

What KPMG Recommends

The Director, Office of Compliance, Office of Enforcement and Compliance Assurance (OECA), should implement database security features to limit the end users' ability to change the SNC code in ICIS-NPDES.

On August 6, 2009, the EPA Office of Inspector General met with OECA to provide a briefing report of KPMG's work to date and discuss the SNC code finding. OECA provided informal comments on the finding. OECA plans to explore additional options to restrict manual SNC code override in ICIS-NPDES.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link:
www.epa.gov/oig/reports/2009/20090831-09-P-0226.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

August 31, 2009

MEMORANDUM

SUBJECT:    ECHO Data Quality Audit – Phase I Results:
            The Integrated Compliance Information System Needs
            Security Controls to Protect Significant Non-Compliance Data
            Report No. 09-P-0226

FROM:       Rudolph M. Brevard
            Director, Information Resources Management Assessments
            Office of Mission Systems

TO:         Cynthia Giles
            Assistant Administrator
            Office of Enforcement and Compliance Assurance

Attached is the briefing report for the first phase of the data quality audit of the Enforcement and Compliance History Online system. KPMG, LLP, conducted this audit on behalf of the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems KPMG identified and corrective actions KPMG recommends. This report represents the opinion of KPMG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

KPMG conducted this portion of the audit from July 2008 to June 2009 at EPA Headquarters in Washington, DC, in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. These standards require planning and performing the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for findings and conclusions. KPMG believes that the evidence obtained provides a reasonable basis for the findings and recommendations.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report. We are requesting your response within 90 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates.

We would like to thank your staff for their cooperation. We have no objections to the further release of this report to the public. This report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893 or brevard.rudy@epa.gov; or Harry Kaplan, Project Manager, at (202) 566-0898 or kaplan.harry@epa.gov.

cc:
Lisa C. Lund
Gwendolyn Spriggs


ECHO Data Quality Audit
Phase I - Results

Agenda

- Objective and Scope
- Progress To Date
- Planned Tasks
- Observations and Recommendations
- Questions & Answers

Objective and Scope

The overall audit objective is to evaluate the processes and controls used to support the quality of data that is ultimately presented through Enforcement and Compliance History Online (ECHO) system queries.

The audit scope includes two phases:

- Phase I -- Data integrity review of processes and controls used to populate the Integrated Data for Enforcement Analysis (IDEA)
- Phase II -- Data quality processes and controls for select source systems that feed IDEA

We selected and reviewed the Permit Compliance System (PCS) and Integrated Compliance Information System National Pollutant Discharge Elimination System (ICIS-NPDES) as the source systems for this project.

Progress Update

- We have conducted meetings with officials from:
  - Office of Enforcement and Compliance Assurance
  - Office of Environmental Information
  - Veterans Affairs Office of Inspector General to discuss system mainframe controls
  - State of Georgia to discuss ICIS-NPDES
  - Region IV to discuss PCS and ICIS-NPDES
- We have gained an understanding of the process used to populate IDEA and ECHO.
- We have gained an understanding of the PCS and ICIS-NPDES data elements and related data quality processes.
- We have gained an understanding of the State conversion process from PCS to ICIS-NPDES.

Planned Tasks

- Perform testing of key PCS and ICIS-NPDES business rules to validate data logic.
- Trace a sample of PCS and ICIS-NPDES data elements into IDEA to test IDEA data quality.
- Review select supporting source documentation (e.g., DMRs) supporting PCS and ICIS-NPDES, and ultimately IDEA.
- Review select PCS and ICIS-NPDES controls over data field security.
- Test controls over the conversion process from PCS to ICIS-NPDES.

Observations and Recommendations

Observation #1:

EPA appears to have effective processes designed to populate IDEA from the source systems.

Observation #2:

With such a large and complex data conversion, EPA has developed a methodology for the States conversion process that includes mapping documentation, system development life-cycle documentation, migration tools, and a lessons learned process after each state conversion that is used to update the methodology for future conversions.

Some key parts of this process:

  - Workgroup meeting and conference calls;
  - Test runs for the data conversion;
  - Data element mapping from PCS to ICIS-NPDES

Observation #3:

ICIS-NPDES has front-end edit checks designed to help ensure data quality. For example, we noted that ICIS-NPDES provides warnings if DMR data exceeds authorized limits. Note that we have not yet tested the full effectiveness of the edit check controls.

During the ICIS-NPDES demonstration that the Georgia data steward gave us, there appeared to be strong front-end edit checks that are designed to ensure data quality. The data steward told us that the new screen layout made data entry "user friendly" and more intuitive.

Information from the DMR is the source for information entered into ICIS-NPDES.

When data is entered into a data field, it is checked to ensure it is the correct data type (i.e., alpha, numeric). If the correct data type is not entered, the data entry clerk is alerted to this when they move to the next field.

If the DMR amount is greater than the permit amount allowed, a warning screen informs the data entry clerk that the amount exceeds the limit. At this point the data entry clerk reviews the input, makes a correction if one is needed, and otherwise continues with data entry.

Observation #4:

End users can override the ICIS-NPDES Significant Non-Compliance (SNC) data field without additional access controls. There are compensating detective controls, such as audit trails that document who changed the SNC field; however, these are only effective if the audit logs are actively reviewed on a regular basis.

Management has not fully implemented database security features to restrict access to this field to authorized users. ICIS-NPDES also does not have any business rules to prevent this from happening.

The lack of a preventative control around the SNC data field allows users to change original data without authorization, which could directly impact the data quality of this element in ICIS-NPDES, which is then passed on to Integrated Data for Enforcement Analysis (IDEA) and ECHO.

Recommendation: The Director, Office of Compliance should:

1. Implement ICIS database security features to limit the end users' ability to change the SNC code.